Denial of Service (DoS) Reported in SYNK

[pak-ferry]

Hey there, I found this issue while running security scan with SYNK. And, turned out there's a vulnerability. Hopefully there's a way to resolve this issue. Thank you.

Here's the error logs:
Issues with no direct upgrade or patch: ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-DECODEURICOMPONENT-3149970] in [email protected] introduced by @testing-library/[email protected] > [email protected] > [email protected] > [email protected] and 2 other path(s) No upgrade or patch available

[acode-x]

Have the same issue.

[NiklasPor]

FYI related GitHub advisory: GHSA-w573-4hg7-7wgq

[tiggem1993]

Hey I am also facing same issue.

[niji-DamienA]

Same issue !

[fionnachan]

saw it on GHSA-w573-4hg7-7wgq
please fix :( 🙏🙏🙏

[briandrutledge]

We saw this today also.....fix is needed ASAP. https://nvd.nist.gov/vuln/detail/CVE-2022-38900

[hello-alf]

Same issue Here!,

[brampurnot]

Same here!

[jhon-gomez-endava]

Any updates?

[josuevalrob]

%  yarn npm audit --all --recursive                
└─ decode-uri-component: 0.2.0
   ├─ Issue: decode-uri-component vulnerable to Denial of Service (DoS)
   ├─ URL: https://github.com/advisories/GHSA-w573-4hg7-7wgq
   ├─ Severity: low
   ├─ Vulnerable Versions: <=0.2.0
   ├─ Patched Versions: <0.0.0
   ├─ Via: lint-staged, jest-environment-jsdom, msw, @typescript-eslint/parser, eslint-config-airbnb-typescript, eslint-plugin-import, @storybook/addon-docs, @storybook/addon-essentials, @storybook/react, ts-jest

[NicholasJarr]

Same issue here!

[matz3]

If someone also faces this issue because of the css package: There is a maintained fork available which doesn't rely on "source-map-resolve" / "decode-uri-component": reworkcss/css#163 (comment)

[Madhust]

Just wondering, whether this repo is maintained actively. In the npm registry, It's been updated 5 years back. Not sure, is there any collaborator or maintainer for this package? I'm certain thousands of projects CI are prevented by this. FYI folks, I tried to contact @SamVerschueren on twitter but no reply yet.

[SamVerschueren]

I'll try to take a look today and release a fix.

[xavisegura]

I'll try to take a look today and release a fix.

Really appreciated. Thank you!

[SamVerschueren]

I just released a fix under v0.2.1. There's still a bug that I found, but it's somewhat unrelated and I will try to release a patch for it later. At least the package shouldn't blow up anymore (I hope 😂 ).

Thanks everyone for chiming in and sorry for the late replies 🙏 .

[briandrutledge]

Hey @SamVerschueren what is the bug still existing? Just wanted to understand that before having my engineering team update. :)

[SamVerschueren]

The issue is that %ea%ba%5a%ba gets incorrectly decoded into 媺 while it should be %ea%baZ%ba. Now this is really an edge case I think but would be good if it got fixed properly.

If the Snyk report is keeping you from installing or using the package, upgrading is definitely safe to do.

[hello-alf]

Thanks @SamVerschueren, you saved my work

[esterfania]

Thanks, @SamVerschueren 😄

[SamVerschueren]

Just released version 0.2.2 with a proper fix where some decoded values got removed in the output.

For instance

• %ea%ba%5a%ba -> %ea%ba%ba -> 媺 (basically dropping the %5a token)
  • After the fix this results in %ea%baZ%ba
• %C3%5A%A5%AB -> %C3%A5%AB ->å%AB (basically dropping the %5A token here as well)
  • After the fix this results in %C3Z%A5%AB

[xavisegura]

Thanks a lot @SamVerschueren

[vinay3206]

Issue still exists in 0.2.2
https://security.snyk.io/package/npm/decode-uri-component/0.2.2

[SamVerschueren]

I'll have a look first thing in the morning. I don't really know how to test these vulnerabilities myself.

[viceice]

I think the fixed version needs to be reported to snyk. the github report is already updated

GHSA-w573-4hg7-7wgq

maybe you also need to publish a security advisory inside this repo. 🤷‍♂️

[SamVerschueren]

So I looked at the security report for v0.2.2 and I don't know why they still report it but it's incorrect. The package handles that string correctly. I'll see what I can do for Snyk to pick up the patched version.

[SamVerschueren]

I don't know why that page indicates that version 0.2.2 is still affected because if you look deeper, it doesn't look like that's the case.

[SamVerschueren]

I'm in contact with Snyk to see what can be done here. I'll try to follow this up as close as possible.

[SamVerschueren]

I had a back-and-forth with someone from Snyk. He also saw that v0.2.2 doesn't get flagged anymore and suggested to wait until monday so I could run a new scan.

[SamVerschueren]

Oh, this page also doesn't show vulnerabilities anymore https://security.snyk.io/package/npm/decode-uri-component/0.2.2. So I guess we're good now? 🤷

[pak-ferry]

Hey there Sam, I think you did great work right there. Thank you for getting back to us!

[romellem]

Can anyone explain how this is a CVE? This seems like a bug rather than a vulnerability.

On certain inputs decodeComponents() could return a string, which means the call to decodeComponents(...).join('') throws an error. I don't see how that is related to a ReDoS attack.

[SamVerschueren]

It wasn't a vulnerability, it was just a bug like you said.

It was not flagged as ReDoS but as DoS in the sense that if you provided wrong input, you could make a server crash if the developer didn't have proper error handling.

This is just the thing with Snyk. People get paid per "vulnerability" they can find. Then you end up in situations like these where people get mad because their CI cant build the app anymore because of a stupid fake vulnerability...

[romellem]

I totally misread, every time I saw those "DoS" reports from snyk, it was always "ReDoS," so just assumed it was the same lame type of report.

And wow, they are really stretching the definition of "Denial of Service." Thanks for releasing this new version. I really appreciate you helping with this, even (if I'm guessing) you probably haven't thought about this library much since you first released 5 years ago.